[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependant connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH
	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate  'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support (OBSOLETE)"
	depends on NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.  

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate  'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values.  This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.
	
	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
Commit	Line	Data
1da177e4 LT	1	#
	2	# IP netfilter configuration
	3	#
	4
	5	menu "IP: Netfilter Configuration"
	6	depends on INET && NETFILTER
	7
9fb9cbb1	8	config NF_CONNTRACK_IPV4
c9386cfd PM	9	tristate "IPv4 connection tracking support (required for NAT)"
c9386cfd PM	10	depends on NF_CONNTRACK
9fb9cbb1 YK	11	---help---
	12	Connection tracking keeps a record of what packets have passed
	13	through your machine, in order to figure out how they are related
	14	into connections.
	15
	16	This is IPv4 support on Layer 3 independent connection tracking.
	17	Layer 3 independent connection tracking is experimental scheme
	18	which generalize ip_conntrack to support other layer 3 protocols.
	19
	20	To compile it as a module, choose M here. If unsure, say N.
	21
a999e683 PM	22	config NF_CONNTRACK_PROC_COMPAT
a999e683 PM	23	bool "proc/sysctl compatibility with old connection tracking"
0c4ca1bd	24	depends on NF_CONNTRACK_IPV4
a999e683 PM	25	default y
	26	help
	27	This option enables /proc and sysctl compatibility with the old
	28	layer 3 dependant connection tracking. This is needed to keep
	29	old programs that have not been adapted to the new names working.
	30
	31	If unsure, say Y.
	32
1da177e4	33	config IP_NF_QUEUE
7af4cc3f	34	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
1da177e4 LT	35	help
	36	Netfilter has the ability to queue packets to user space: the
	37	netlink device can be used to access them using this driver.
	38
7af4cc3f HW	39	This option enables the old IPv4-only "ip_queue" implementation
	40	which has been obsoleted by the new "nfnetlink_queue" code (see
	41	CONFIG_NETFILTER_NETLINK_QUEUE).
	42
1da177e4 LT	43	To compile it as a module, choose M here. If unsure, say N.
	44
	45	config IP_NF_IPTABLES
	46	tristate "IP tables support (required for filtering/masq/NAT)"
a3c941b0	47	select NETFILTER_XTABLES
1da177e4 LT	48	help
	49	iptables is a general, extensible packet identification framework.
	50	The packet filtering and full NAT (masquerading, port forwarding,
	51	etc) subsystems now use this: say `Y' or `M' here if you want to use
	52	either of those.
	53
	54	To compile it as a module, choose M here. If unsure, say N.
	55
	56	# The matches.
1da177e4 LT	57	config IP_NF_MATCH_IPRANGE
	58	tristate "IP range match support"
	59	depends on IP_NF_IPTABLES
	60	help
	61	This option makes possible to match IP addresses against IP address
	62	ranges.
	63
	64	To compile it as a module, choose M here. If unsure, say N.
	65
1da177e4 LT	66	config IP_NF_MATCH_TOS
	67	tristate "TOS match support"
	68	depends on IP_NF_IPTABLES
	69	help
	70	TOS matching allows you to match packets based on the Type Of
	71	Service fields of the IP packet.
	72
	73	To compile it as a module, choose M here. If unsure, say N.
	74
	75	config IP_NF_MATCH_RECENT
	76	tristate "recent match support"
	77	depends on IP_NF_IPTABLES
	78	help
	79	This match is used for creating one or many lists of recently
	80	used addresses and then matching against that/those list(s).
	81
	82	Short options are available by using 'iptables -m recent -h'
	83	Official Website: <http://snowman.net/projects/ipt_recent/>
	84
	85	To compile it as a module, choose M here. If unsure, say N.
	86
	87	config IP_NF_MATCH_ECN
	88	tristate "ECN match support"
	89	depends on IP_NF_IPTABLES
	90	help
	91	This option adds a `ECN' match, which allows you to match against
	92	the IPv4 and TCP header ECN fields.
	93
	94	To compile it as a module, choose M here. If unsure, say N.
	95
dc5ab2fa YK	96	config IP_NF_MATCH_AH
dc5ab2fa YK	97	tristate "AH match support"
1da177e4 LT	98	depends on IP_NF_IPTABLES
1da177e4 LT	99	help
dc5ab2fa YK	100	This match extension allows you to match a range of SPIs
dc5ab2fa YK	101	inside AH header of IPSec packets.
1da177e4 LT	102
	103	To compile it as a module, choose M here. If unsure, say N.
	104
1da177e4 LT	105	config IP_NF_MATCH_TTL
	106	tristate "TTL match support"
	107	depends on IP_NF_IPTABLES
	108	help
	109	This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
	110	to match packets by their TTL value.
	111
	112	To compile it as a module, choose M here. If unsure, say N.
	113
1da177e4 LT	114	config IP_NF_MATCH_OWNER
	115	tristate "Owner match support"
	116	depends on IP_NF_IPTABLES
	117	help
	118	Packet owner matching allows you to match locally-generated packets
	119	based on who created them: the user, group, process or session.
	120
	121	To compile it as a module, choose M here. If unsure, say N.
	122
1da177e4 LT	123	config IP_NF_MATCH_ADDRTYPE
	124	tristate 'address type match support'
	125	depends on IP_NF_IPTABLES
	126	help
	127	This option allows you to match what routing thinks of an address,
	128	eg. UNICAST, LOCAL, BROADCAST, ...
	129
	130	If you want to compile it as a module, say M here and read
	131	<file:Documentation/modules.txt>. If unsure, say `N'.
	132
1da177e4 LT	133	# `filter', generic and specific targets
	134	config IP_NF_FILTER
	135	tristate "Packet filtering"
	136	depends on IP_NF_IPTABLES
	137	help
	138	Packet filtering defines a table `filter', which has a series of
	139	rules for simple packet filtering at local input, forwarding and
	140	local output. See the man page for iptables(8).
	141
	142	To compile it as a module, choose M here. If unsure, say N.
	143
	144	config IP_NF_TARGET_REJECT
	145	tristate "REJECT target support"
	146	depends on IP_NF_FILTER
	147	help
	148	The REJECT target allows a filtering rule to specify that an ICMP
	149	error should be issued in response to an incoming packet, rather
	150	than silently being dropped.
	151
	152	To compile it as a module, choose M here. If unsure, say N.
	153
	154	config IP_NF_TARGET_LOG
	155	tristate "LOG target support"
	156	depends on IP_NF_IPTABLES
	157	help
	158	This option adds a `LOG' target, which allows you to create rules in
	159	any iptables table which records the packet header to the syslog.
	160
	161	To compile it as a module, choose M here. If unsure, say N.
	162
	163	config IP_NF_TARGET_ULOG
44adf28f	164	tristate "ULOG target support"
1da177e4 LT	165	depends on IP_NF_IPTABLES
1da177e4 LT	166	---help---
f40863ce HW	167
	168	This option enables the old IPv4-only "ipt_ULOG" implementation
	169	which has been obsoleted by the new "nfnetlink_log" code (see
	170	CONFIG_NETFILTER_NETLINK_LOG).
	171
1da177e4 LT	172	This option adds a `ULOG' target, which allows you to create rules in
	173	any iptables table. The packet is passed to a userspace logging
	174	daemon using netlink multicast sockets; unlike the LOG target
	175	which can only be viewed through syslog.
	176
44c09201	177	The appropriate userspace logging daemon (ulogd) may be obtained from
1da177e4 LT	178	<http://www.gnumonks.org/projects/ulogd/>
	179
	180	To compile it as a module, choose M here. If unsure, say N.
	181
5b1158e9 JK	182	# NAT + specific targets: nf_conntrack
	183	config NF_NAT
	184	tristate "Full NAT"
083e69e9	185	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
5b1158e9 JK	186	help
	187	The Full NAT option allows masquerading, port forwarding and other
	188	forms of full Network Address Port Translation. It is controlled by
	189	the `nat' table in iptables: see the man page for iptables(8).
	190
	191	To compile it as a module, choose M here. If unsure, say N.
	192
5b1158e9 JK	193	config NF_NAT_NEEDED
	194	bool
	195	depends on NF_NAT
1da177e4 LT	196	default y
	197
	198	config IP_NF_TARGET_MASQUERADE
	199	tristate "MASQUERADE target support"
587aa641	200	depends on NF_NAT
1da177e4 LT	201	help
	202	Masquerading is a special case of NAT: all outgoing connections are
	203	changed to seem to come from a particular interface's address, and
	204	if the interface goes down, those connections are lost. This is
	205	only useful for dialup accounts with dynamic IP address (ie. your IP
	206	address will be different on next dialup).
	207
	208	To compile it as a module, choose M here. If unsure, say N.
	209
	210	config IP_NF_TARGET_REDIRECT
	211	tristate "REDIRECT target support"
587aa641	212	depends on NF_NAT
1da177e4 LT	213	help
	214	REDIRECT is a special case of NAT: all incoming connections are
	215	mapped onto the incoming interface's address, causing the packets to
	216	come to the local machine instead of passing through. This is
	217	useful for transparent proxies.
	218
	219	To compile it as a module, choose M here. If unsure, say N.
	220
	221	config IP_NF_TARGET_NETMAP
	222	tristate "NETMAP target support"
587aa641	223	depends on NF_NAT
1da177e4 LT	224	help
	225	NETMAP is an implementation of static 1:1 NAT mapping of network
	226	addresses. It maps the network address part, while keeping the host
	227	address part intact. It is similar to Fast NAT, except that
	228	Netfilter's connection tracking doesn't work well with Fast NAT.
	229
	230	To compile it as a module, choose M here. If unsure, say N.
	231
	232	config IP_NF_TARGET_SAME
3569b621	233	tristate "SAME target support (OBSOLETE)"
587aa641	234	depends on NF_NAT
1da177e4 LT	235	help
	236	This option adds a `SAME' target, which works like the standard SNAT
	237	target, but attempts to give clients the same IP for all connections.
	238
	239	To compile it as a module, choose M here. If unsure, say N.
	240
807467c2 PM	241	config NF_NAT_SNMP_BASIC
	242	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	243	depends on EXPERIMENTAL && NF_NAT
	244	---help---
	245
	246	This module implements an Application Layer Gateway (ALG) for
	247	SNMP payloads. In conjunction with NAT, it allows a network
1da177e4 LT	248	management system to access multiple private networks with
	249	conflicting addresses. It works by modifying IP addresses
	250	inside SNMP payloads to match IP-layer NAT mapping.
	251
	252	This is the "basic" form of SNMP-ALG, as described in RFC 2962
	253
	254	To compile it as a module, choose M here. If unsure, say N.
	255
55a73324 JK	256	# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
	257	# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
	258	# From kconfig-language.txt:
	259	#
	260	# <expr> '&&' <expr> (6)
	261	#
	262	# (6) Returns the result of min(/expr/, /expr/).
f09943fe PM	263	config NF_NAT_PROTO_GRE
	264	tristate
	265	depends on NF_NAT && NF_CT_PROTO_GRE
	266
55a73324 JK	267	config NF_NAT_FTP
	268	tristate
	269	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	270	default NF_NAT && NF_CONNTRACK_FTP
	271
869f37d8 PM	272	config NF_NAT_IRC
	273	tristate
	274	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	275	default NF_NAT && NF_CONNTRACK_IRC
	276
a536df35 PM	277	config NF_NAT_TFTP
	278	tristate
	279	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	280	default NF_NAT && NF_CONNTRACK_TFTP
	281
16958900 PM	282	config NF_NAT_AMANDA
	283	tristate
	284	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	285	default NF_NAT && NF_CONNTRACK_AMANDA
	286
f09943fe PM	287	config NF_NAT_PPTP
	288	tristate
	289	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	290	default NF_NAT && NF_CONNTRACK_PPTP
	291	select NF_NAT_PROTO_GRE
	292
f587de0e PM	293	config NF_NAT_H323
	294	tristate
	295	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	296	default NF_NAT && NF_CONNTRACK_H323
	297
9fafcd7b PM	298	config NF_NAT_SIP
	299	tristate
	300	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	301	default NF_NAT && NF_CONNTRACK_SIP
	302
1da177e4 LT	303	# mangle + specific targets
	304	config IP_NF_MANGLE
	305	tristate "Packet mangling"
	306	depends on IP_NF_IPTABLES
	307	help
	308	This option adds a `mangle' table to iptables: see the man page for
	309	iptables(8). This table is used for various packet alterations
	310	which can effect how the packet is routed.
	311
	312	To compile it as a module, choose M here. If unsure, say N.
	313
	314	config IP_NF_TARGET_TOS
	315	tristate "TOS target support"
	316	depends on IP_NF_MANGLE
	317	help
	318	This option adds a `TOS' target, which allows you to create rules in
	319	the `mangle' table which alter the Type Of Service field of an IP
	320	packet prior to routing.
	321
	322	To compile it as a module, choose M here. If unsure, say N.
	323
	324	config IP_NF_TARGET_ECN
	325	tristate "ECN target support"
	326	depends on IP_NF_MANGLE
	327	---help---
	328	This option adds a `ECN' target, which can be used in the iptables mangle
	329	table.
	330
	331	You can use this target to remove the ECN bits from the IPv4 header of
	332	an IP packet. This is particularly useful, if you need to work around
	333	existing ECN blackholes on the internet, but don't want to disable
	334	ECN support in general.
	335
	336	To compile it as a module, choose M here. If unsure, say N.
	337
5f2c3b91 HW	338	config IP_NF_TARGET_TTL
	339	tristate 'TTL target support'
	340	depends on IP_NF_MANGLE
	341	help
	342	This option adds a `TTL' target, which enables the user to modify
	343	the TTL value of the IP header.
	344
	345	While it is safe to decrement/lower the TTL, this target also enables
	346	functionality to increment and set the TTL value of the IP header to
	347	arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	348	create immortal packets that loop forever on the network.
	349
	350	To compile it as a module, choose M here. If unsure, say N.
	351
1da177e4 LT	352	config IP_NF_TARGET_CLUSTERIP
1da177e4 LT	353	tristate "CLUSTERIP target support (EXPERIMENTAL)"
2b8f2ff6	354	depends on IP_NF_MANGLE && EXPERIMENTAL
587aa641 PM	355	depends on NF_CONNTRACK_IPV4
587aa641 PM	356	select NF_CONNTRACK_MARK
1da177e4 LT	357	help
	358	The CLUSTERIP target allows you to build load-balancing clusters of
	359	network servers without having a dedicated load-balancing
	360	router/server/switch.
	361
	362	To compile it as a module, choose M here. If unsure, say N.
	363
	364	# raw + specific targets
	365	config IP_NF_RAW
	366	tristate 'raw table support (required for NOTRACK/TRACE)'
	367	depends on IP_NF_IPTABLES
	368	help
	369	This option adds a `raw' table to iptables. This table is the very
	370	first in the netfilter framework and hooks in at the PREROUTING
	371	and OUTPUT chains.
	372
	373	If you want to compile it as a module, say M here and read
	374	<file:Documentation/modules.txt>. If unsure, say `N'.
	375
1da177e4 LT	376	# ARP tables
	377	config IP_NF_ARPTABLES
	378	tristate "ARP tables support"
a3c941b0	379	select NETFILTER_XTABLES
1da177e4 LT	380	help
	381	arptables is a general, extensible packet identification framework.
	382	The ARP packet filtering and mangling (manipulation)subsystems
	383	use this: say Y or M here if you want to use either of those.
	384
	385	To compile it as a module, choose M here. If unsure, say N.
	386
	387	config IP_NF_ARPFILTER
	388	tristate "ARP packet filtering"
	389	depends on IP_NF_ARPTABLES
	390	help
	391	ARP packet filtering defines a table `filter', which has a series of
	392	rules for simple ARP packet filtering at local input and
	393	local output. On a bridge, you can also specify filtering rules
	394	for forwarded ARP packets. See the man page for arptables(8).
	395
	396	To compile it as a module, choose M here. If unsure, say N.
	397
	398	config IP_NF_ARP_MANGLE
	399	tristate "ARP payload mangling"
	400	depends on IP_NF_ARPTABLES
	401	help
	402	Allows altering the ARP packet payload: source and destination
	403	hardware and network addresses.
	404
	405	endmenu
	406